SysJoker malware was initially discovered to be used by the APT group dubbed “WildCard” and targeted Israel’s educational sector. However, the operations of this APT threat actor have expanded to include additional malware variants, with one of them found to be written in Rust programming language.
This new rust malware has been coined “Rustdown” by the malware developers. In addition to this, the threat actor has also shifted their focus to critical sectors within Israel, like education, IT infrastructure, and electric power generation.
Document
(‘https://fonts.googleapis.com/css2?family=Poppins&display=swap’);
(‘https://fonts.googleapis.com/css2?family=Poppins&family=Roboto&display=swap’);
*{
margin: 0; padding: 0;
text-decoration: none;
}
.container{
font-family: roboto, sans-serif;
width: 90%;
border: 1px solid lightgrey;
padding: 20px;
background: linear-gradient(2deg,#E0EAF1 100%,#BBD2E0 100%);
margin: 20px auto ;
border-radius: 40px 10px;
box-shadow: 5px 5px 5px #e2ebff;
}
.container:hover{
box-shadow: 10px 10px 5px #e2ebff;
}
.container .title{
color: #015689;
font-size: 22px;
font-weight: bolder;
}
.container .title{
text-shadow: 1px 1px 1px lightgrey;
}
.container .title:after {
width: 50px;
height: 2px;
content: ‘ ‘;
position: absolute;
background-color: #015689;
margin: 20px 8px;
}
.container h2{
line-height: 40px;
margin: 2px 0;
font-weight: bolder;
}
.container a{
color: #170d51;
}
.container p{
font-size: 18px;
line-height: 30px;
}
.container button{
padding: 15px;
background-color: #4469f5;
border-radius: 10px;
border: none;
background-color: #00456e ;
font-size: 16px;
font-weight: bold;
margin-top: 5px;
}
.container button:hover{
box-shadow: 1px 1px 15px #015689;
transition: all 0.2S linear;
}
.container button a{
color: white;
}
hr{
/* display: none; */
}
Free Webinar
Live API Attack Simulation Webinar
In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway
Register for Free
Technical Analysis
Two new malware variants have been discovered, which have evolved from the SysJoker malware. These variants were named DMADevice.exe and AppMessagingRegistrar.exe and were written in C++.
There were three samples of malware variants found in two of them DMADevice.exe and AppMessagingRegistrar.exe.
Timeline of Operation
DMADevice
According to the samples analyzed, this malware had a code similar to SysJoker. Additionally, one unique string was identified to be exactly the same in the SysJoker malware.
It was the custom alphabet “0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghilmnopqrstuvmxyz” that was present in the code of both SysJoker and the DMA device malware variants. This string misses two characters, “jk”, the same on both samples.
AppMessagingRegistrar
This variant was identified to be compiled after the DMAdevice variant and also shares the same code as SysJoker. However, there are different capabilities, XOR keys, and URL paths on this malware. The URL paths used by this malware are,
api/update
/api/register
/api/library
/api/requests
This malware is downloaded from a ZIP file and executed by a DLL file masquerading as Brave browser. Furthermore, the use of Gdrive and OneDrive was similar on both DMAdevice and AppMessagingRegistrar variants of SysJoker malware.
RustDown: The new variant
As of October 2023, the APT group has been found to be relying on a different malware written in Rust, which was a 32-bit Windows executable that disguised itself as a PHP framework component.
The codebase of this malware was new but shared the same Tactics, Techniques, and Procedures of the WildCard APT group.
This malware implements multiple calls to the Sleep API with random time durations which was similar to the SysJoker malware. Additionally, it also copies the executable to another location using PowerShell for persistence.
A complete report about these new variants of SysJoker malware and the WildCard APT group has been published, which provides detailed information about the TTP, source code, hash values, and other information.
Indicators of Compromise
Rustdown
d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72
DMAdevice (SysJoker May 2022 Variant)
e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e92398366c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95
AppMessagingRegistrar (SysJoker June 2022 Variant)
67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706
SysJoker Downloader
96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f
Dead Drop Resolver URL
https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&authkey=!AED7TeCJaC7JNVQ (RustDown)
https://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570&resid=F6A7DCE38A4B8570%21115&authkey=AKcf8zLcDneJZHw (DMAdevice.exe)
https://onedrive[.]live.com/download?cid=3014636895E3FE3B&resid=3014636895E3FE3B%21106&authkey=AD4OGrVz9h17Jzo (AppMessagingRegistrar.exe)
C2
85.31.231[.]49:443 (Rustdown)
sharing-u-file[.]com (DMAdevice.exe)
audiosound-visual[.]com (AppMessagingRegistrar.exe)filestorage-short[.]org (SysJoker Downloader)
Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.
The post APT Hackers Behind SysJoker Attacking Critical Industrial Sectors can be searched on searchng.ng & dotifi.comCyber Security News.
